CVE-2025-64094: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dnnsoftware Dnn.Platform
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.
AI Analysis
Technical Summary
CVE-2025-64094 is a cross-site scripting (XSS) vulnerability classified under CWE-79 that affects the Dnn.Platform content management system (CMS), an open-source Microsoft ecosystem web platform. The vulnerability exists in versions prior to 10.1.1 due to incomplete sanitization of SVG file content uploaded to the platform. SVG files are XML documents that can carry script elements, event-handler attributes and other executable content; the sanitization mechanism in Dnn.Platform failed to neutralize all such vectors, allowing attackers to inject arbitrary JavaScript code. This vulnerability exists because the fix for CVE-2025-48378 was incomplete: the earlier patch did not cover all XSS scenarios in uploaded SVG content. Exploitation requires an attacker with some level of privileges (PR:L) to upload malicious SVG content but does not require user interaction (UI:N). The attack vector is network-based (AV:N), meaning it can be exploited remotely. The vulnerability affects confidentiality and integrity (C:L/I:L) but not availability. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component, such as user sessions or other parts of the application. No known exploits have been reported in the wild as of the publication date. The vulnerability was published on October 28, 2025, with a CVSS v3.1 score of 6.4, indicating medium severity. The fix is included in Dnn.Platform version 10.1.1, which addresses the incomplete sanitization of SVG uploads to prevent XSS attacks.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to web applications and portals built on Dnn.Platform versions prior to 10.1.1 that allow SVG file uploads. Successful exploitation could lead to the execution of malicious scripts in the context of the affected web application, enabling attackers to steal session cookies, perform unauthorized actions, or conduct phishing attacks against users. This compromises confidentiality and integrity of data and user sessions. Organizations with public-facing websites or intranet portals using vulnerable Dnn.Platform versions are at higher risk. The impact is particularly significant for sectors handling sensitive data such as finance, healthcare, government, and critical infrastructure. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if combined with other vulnerabilities. Although no exploits are currently known in the wild, the medium CVSS score and the nature of XSS vulnerabilities warrant proactive mitigation to prevent potential targeted attacks. The vulnerability's requirement for some privileges to upload SVG files limits exposure but does not eliminate risk, especially in environments with multiple user roles or less restrictive upload controls.
Mitigation Recommendations
1. Upgrade all instances of Dnn.Platform to version 10.1.1 or later immediately to apply the official fix for this vulnerability.
2. Review and restrict the ability to upload SVG files to trusted users only, minimizing the attack surface.
3. Implement additional server-side validation and sanitization of SVG content using specialized libraries that thoroughly parse and clean SVG files to remove scripts or malicious elements.
4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks.
5. Conduct regular security audits and penetration testing focused on file upload functionalities and input sanitization mechanisms.
6. Monitor web server logs and application behavior for unusual activity related to SVG uploads or script execution attempts.
7. Educate developers and administrators about secure handling of SVG files and the risks associated with incomplete sanitization.
8. Consider disabling SVG uploads if not strictly necessary or replacing SVG with safer image formats where feasible.
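The recommendations above ask for server-side parsing and cleaning of SVG content, and the incomplete-fix history of this CVE shows why a denylist of known-bad tags is fragile. The following is an added example, not part of this advisory and not Dnn.Platform's own code, of an allowlist-based SVG sanitizer: it parses the upload as XML, keeps only a fixed set of SVG elements in the SVG namespace, drops every `on*` event-handler attribute, permits `href`/`xlink:href` only as same-document `#fragment` references, and rejects `style` values that would fetch or execute anything. The element allowlist, the `evil()` and `example.invalid` names in the constructed sample upload, and the returned list of removed items are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Allowlist (an assumption of this example): structural, shape, text and paint-server
# elements only. script, style, foreignObject, set/animate*, image are absent on purpose;
# anything not listed is removed together with its whole subtree.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "symbol", "use", "a", "title", "desc",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "textPath",
    "linearGradient", "radialGradient", "stop", "pattern", "clipPath", "mask",
}
# Attributes that carry a URL: only same-document fragment references (#id) survive.
URL_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}
# CSS that would fetch or execute something: url() not pointing at a #fragment, etc.
_UNSAFE_CSS = re.compile(r"url\(\s*(?!['\"]?\s*#)|expression\s*\(|@import|javascript:",
                         re.IGNORECASE)


def _local(tag):
    """'{namespace}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _allowed_element(tag):
    # Comments/PIs have a non-string tag; elements must be in the SVG namespace and allowlisted.
    return (isinstance(tag, str) and tag.startswith("{%s}" % SVG_NS)
            and _local(tag) in ALLOWED_ELEMENTS)


def _safe_attribute(name, value):
    local = _local(name)
    if local.lower().startswith("on"):            # onload=, onclick=, onmouseover=, ...
        return False
    if name in URL_ATTRIBUTES:
        return value.strip().startswith("#")      # "#gradient1" yes; javascript:/http:/data: no
    if local == "style":
        return not _UNSAFE_CSS.search(value)
    return True


def _drop(parent, child, prev):
    """Remove child but keep the text that followed it (ElementTree stores it in child.tail)."""
    if child.tail:
        if prev is not None:
            prev.tail = (prev.tail or "") + child.tail
        else:
            parent.text = (parent.text or "") + child.tail
    parent.remove(child)


def _scrub(element):
    removed = []
    for name in list(element.attrib):
        if not _safe_attribute(name, element.attrib[name]):
            removed.append("attribute " + _local(name))
            del element.attrib[name]
    prev = None
    for child in list(element):
        if _allowed_element(child.tag):
            removed.extend(_scrub(child))
            prev = child
        else:
            label = _local(child.tag) if isinstance(child.tag, str) else "comment/PI"
            removed.append("element " + label)
            _drop(element, child, prev)   # whole subtree goes, e.g. all of foreignObject
    return removed


def sanitize_svg(data):
    """Return (clean_svg_text, removed_items). Raises ValueError for non-SVG input.
    Note: for untrusted uploads in production, parse with defusedxml instead of the
    standard parser to also block entity-expansion (billion laughs) attacks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not <svg> in the SVG namespace")
    removed = _scrub(root)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed upload for demonstration; evil() and example.invalid are placeholders.
SAMPLE_UPLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="evil()">
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <script>evil()</script>
  <rect width="100" height="100" fill="url(#g)" style="fill:url(http://example.invalid/x)"/>
  <a xlink:href="javascript:evil()"><circle cx="50" cy="50" r="20"/></a>
  <use href="#g"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x"/></body></foreignObject>
  <text>hello<set attributeName="x"/> world</text>
</svg>"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_UPLOAD)
    print(clean)
    print("removed:", removed)
```

Run against the sample, the sanitizer returns the gradient, rectangle, circle, `use` reference and text intact and reports the `onload` attribute, the `script` element, the external `url()` in `style`, the `javascript:` link target, the `foreignObject` subtree and the `set` animation element as removed. Logging that `removed` list per upload gives the monitoring signal recommended above: a user whose uploads repeatedly need scrubbing is worth a closer look. Serving the cleaned file with `Content-Type: image/svg+xml`, `X-Content-Type-Options: nosniff` and a restrictive policy such as `Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'` covers recommendation 4 as a second layer in case the sanitizer, like the original fix, turns out to miss a case.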
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-27T15:26:14.125Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6901419f608506ea438f86a6
Added to database: 10/28/2025, 10:20:15 PM
Last enriched: 11/5/2025, 2:14:25 AM
Last updated: 12/9/2025, 10:48:02 AM
Views: 133